CVE-2026-44237
Analyzed Analyzed - Analysis Complete
OAuth2 Token Bypass in FreePBX

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44237
EUVD
EUVD-2026-33300
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sangoma freepbx to 17.0.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1390 The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in FreePBX's API module allows unauthorized access to OAuth2 access tokens, potentially enabling attackers to gain full read/write access to all GraphQL mutations and queries if the default gql scope is enabled.

Such unauthorized access could lead to exposure or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

Mitigations such as updating to version 17.0.8 or later, restricting access to the Administrator Control Panel, denying access from hostile networks, and securing backups are necessary to maintain compliance and reduce risk.

Detection Guidance

Detection of this vulnerability involves verifying the version of the FreePBX API module to ensure it is 17.0.8 or later, as versions prior to 17.0.8 are vulnerable.

Since the vulnerability allows bypassing OAuth2 authentication with knowledge of a valid client_id, monitoring for unusual OAuth2 token issuance without correct client_secret validation could indicate exploitation attempts.

No specific detection commands are provided in the available resources.

Executive Summary

The vulnerability in FreePBX's API module (prior to version 17.0.8) involves improper validation of client credentials during OAuth2 token issuance. Specifically, the validateClient() method in ClientRepository.php always returns true, allowing anyone who knows a valid client_id to obtain OAuth2 access tokens without needing the correct client_secret.

The client_id is a randomized 64-character string that can only be obtained through an authenticated Administrator Control Panel session or access to a backup.

This flaw enables attackers to bypass OAuth2 authentication and gain unauthorized access.

Impact Analysis

An attacker who knows a valid client_id can bypass OAuth2 authentication and obtain access tokens without the correct client_secret.

With these tokens, the attacker can gain full read and write access to all GraphQL mutations and queries if the default gql scope is enabled.

This could lead to unauthorized access, data manipulation, and potentially full control over the FreePBX system's API functions.

Mitigation Strategies

To mitigate the CVE-2026-44237 vulnerability in FreePBX's API module, you should update the API module to version 17.0.8 or later.

  • Restrict access to the Administrator Control Panel to authorized users only.
  • Deny access to the Administrator Control Panel from hostile or untrusted networks.
  • Maintain secure control of backups to prevent unauthorized access to client_id values.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44237. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart